Here are today’s top cybersecurity stories for Wednesday, April 22, 2026.
Microsoft Issues Emergency Patch for Critical ASP.NET Core Privilege Escalation Flaw CVE-2026-40372
Microsoft released out-of-band security updates to fix a CVSS 9.1 elevation-of-privilege vulnerability in ASP.NET Core’s Data Protection cryptographic APIs. A flaw in the HMAC verification logic within the Microsoft.AspNetCore.DataProtection NuGet package (versions 10.0.0–10.0.6) lets unauthenticated attackers forge authentication cookies and gain SYSTEM-level access. The fix shipped in ASP.NET Core 10.0.7 and applies primarily to Linux deployments. The Hacker News
Self-Spreading npm Supply Chain Attack Compromises 187 Packages and Crosses Into PyPI
Malicious versions of the pgserve npm package (1.1.11–1.1.13), first published April 21, inject a credential-harvesting script that steals npm publish tokens and automatically republishes infected payloads across all packages the victim controls, enabling recursive spread. When PyPI credentials are found on the system, the attack propagates into the Python ecosystem as well using a .pth-based payload. Security researchers confirmed 187 npm packages were infected before detection. Developers must treat all three versions as malicious and rotate all exposed secrets immediately. BleepingComputer
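As an added defender-side example (not code from the article or from the researchers who reported the campaign), the script below walks an npm package-lock.json and flags any pgserve install whose version falls in the three reported malicious releases. It assumes the standard lockfile layouts (lockfileVersion 2/3 with a "packages" map, or the older lockfileVersion 1 "dependencies" tree); the lockfile it runs on is constructed sample data.

```python
"""Flag pgserve versions 1.1.11-1.1.13 in an npm package-lock.json."""
import json

# The three versions the report names as malicious.
MALICIOUS_PGSERVE_VERSIONS = {"1.1.11", "1.1.12", "1.1.13"}


def find_pgserve_installs(lock):
    """Return [(node_modules path, version)] for every pgserve entry.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
    lockfileVersion 1 keeps a nested "dependencies" tree. Nested installs
    (node_modules/foo/node_modules/pgserve) are covered in both layouts.
    """
    found = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == "pgserve":
                found.append((path, meta.get("version")))
        return found

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "pgserve":
                found.append((path, meta.get("version")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def flag_malicious(lock):
    """Return only the pgserve installs pinned to a reported malicious version."""
    return [(p, v) for p, v in find_pgserve_installs(lock)
            if v in MALICIOUS_PGSERVE_VERSIONS]


# Constructed sample lockfile: a direct malicious install plus a nested, clean one.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/pgserve": {"version": "1.1.12"},
    "node_modules/some-tool": {"version": "2.0.0"},
    "node_modules/some-tool/node_modules/pgserve": {"version": "1.1.9"}
  }
}""")

if __name__ == "__main__":
    for path, version in flag_malicious(SAMPLE_LOCK):
        print(f"MALICIOUS pgserve {version} at {path}")
```

Point `json.load(open("package-lock.json"))` at a real lockfile in place of SAMPLE_LOCK; any hit means the project's publish tokens and other secrets should be rotated as the article advises.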
France Titres (ANTS) Confirms Breach of 12 Million Identity Records
France’s National Agency for Secure Documents (ANTS), responsible for managing passports and national identity cards, confirmed a cyberattack first detected April 15, exposing data from approximately 12 million accounts. The threat actor ‘breach3d’ posted 19 million records for sale on a dark web forum, containing names, contact details, dates of birth, postal addresses, gender, and civil status metadata. ANTS notified France’s data protection authority (CNIL), the Paris prosecutor’s office, and national cybersecurity agency ANSSI. BleepingComputer
Scattered Spider Member ‘Tylerb’ Pleads Guilty to $8M Cryptocurrency Theft Scheme
Tyler Robert Buchanan, 24, a British national and senior Scattered Spider member known as ‘Tylerb’, pleaded guilty in California federal court to wire fraud conspiracy and aggravated identity theft. Buchanan admitted to launching tens of thousands of SMS phishing attacks in 2022 targeting Twilio, LastPass, DoorDash, and Mailchimp, and stealing at least $8 million in cryptocurrency from individual victims. He faces a maximum of 22 years in prison with sentencing scheduled for August 21, 2026. Krebs on Security
Over 1,370 Microsoft SharePoint Servers Still Unpatched Against Actively Exploited CVE-2026-32201
Scanning data from the Shadowserver Foundation shows more than 1,370 internet-facing SharePoint Server instances remain unpatched against CVE-2026-32201, an improper input validation vulnerability enabling unauthenticated spoofing attacks. Microsoft patched the flaw on April 14 Patch Tuesday and CISA directed federal agencies to remediate by April 28, but fewer than 200 systems had applied the update as of this week. The vulnerability affects SharePoint Server 2016, 2019, and Subscription Edition. BleepingComputer
BRIDGE:BREAK — 22 Flaws in Lantronix and Silex Serial-to-IP Converters Expose 20,000 OT Devices
Forescout Research Vedere Labs disclosed 22 vulnerabilities, collectively named BRIDGE:BREAK, in Lantronix EDS3000PS/EDS5000 and Silex SD330-AC serial-to-IP converters. The flaws enable remote code execution, OS command injection, and WAF detection bypass, with roughly 20,000 devices exposed online globally. These converters are widely deployed in operational technology, healthcare, and industrial environments to connect legacy serial devices to IP networks. Lantronix and Silex have released patches; organizations should also segment networks and remove internet exposure. The Hacker News
New Lotus Data Wiper Deployed Against Venezuelan Energy and Utilities Sector
Kaspersky researchers disclosed a previously undocumented data-wiping malware, dubbed Lotus Wiper, used against energy and utilities organizations in Venezuela in late 2025 and early 2026. The malware overwrites physical drives, eliminates recovery options, and removes backup mechanisms, with no ransom demands embedded, indicating destructive rather than financial motivation. Lotus Wiper was compiled in September 2025 and deployed around mid-December, aligning with escalating regional geopolitical tensions. BleepingComputer
Harvester APT Deploys Linux GoGra Backdoor Using Microsoft Outlook as Covert C2 Channel
The Harvester threat group has expanded its toolset with a Linux variant of the GoGra backdoor, using Microsoft Graph API and a dedicated Outlook mailbox folder as a covert command-and-control channel. The backdoor polls the inbox every two seconds for emails with “Input” subject lines, decrypts Base64-encoded commands, and executes them via /bin/bash, sending results back via “Output” emails. Artifacts uploaded to VirusTotal from India and Afghanistan suggest South Asian government and media entities are targeted in this espionage campaign. The Hacker News
NIST Stops Scoring Lower-Priority CVEs as Vulnerability Submissions Surge 263% Since 2020
NIST announced it will no longer automatically score all CVEs received by the National Vulnerability Database, prioritizing only those in CISA’s KEV catalog, software used by the federal government, and critical software as defined under Executive Order 14028. CVEs outside these criteria will be listed in the NVD but marked “lowest priority” without severity scores, CPE mappings, or weakness classifications. NIST scored nearly 42,000 CVEs in 2025, a record and a 45% year-over-year increase, yet still cannot keep pace with the 263% growth in submission volume since 2020. NIST
Apple Account Notifications Abused to Send Convincing Phishing Emails Bypassing SPF, DKIM, and DMARC
Attackers are exploiting Apple’s account-change notification system to embed phishing lures inside legitimate emails originating from Apple’s infrastructure, passing all three email authentication checks. By triggering account-change notifications through minor account modifications, attackers insert fake $899 iPhone purchase alerts with fraudulent call-back numbers into Apple-signed emails. Recipients who call are subjected to social engineering designed to extract credentials or payment data. BleepingComputer
Stay tuned for today’s in-depth analysis posts.